How to Set Up a File Server on Windows Server 2012 R2
A file server is one of the most ubiquitous roles in any Windows Server environment, providing centralised, managed storage for user data, departmental shares, and application data. Windows Server 2012 R2 delivers an upgraded File and Storage Services role with SMB 3.0, File Server Resource Manager (FSRM) for quotas and file screens, work folders for BYOD synchronisation, and deep integration with Active Directory for permissions management.
This guide covers installing File Services, creating shares, configuring NTFS and share permissions, setting up quotas and file screens with FSRM, enabling shadow copies (Previous Versions), and monitoring the file server — all using Server Manager and PowerShell.
Prerequisites
- Windows Server 2012 R2 joined to the domain.
- One or more data volumes for shares (separate from the OS volume is strongly recommended).
- AD users and groups pre-created for permission assignment.
- Local Administrator or equivalent account.
Step 1: Install File Server and Related Services
# Install File Server role and related features
Install-WindowsFeature -Name `
FS-FileServer, `
FS-Resource-Manager, `
FS-Data-Deduplication `
-IncludeManagementTools
# Verify installed features
Get-WindowsFeature -Name FS-* |
Where-Object { $_.InstallState -eq "Installed" } |
Select-Object Name, DisplayNameStep 2: Create and Share Folders
The SMB protocol (version 3.0 on Windows Server 2012 R2) is used for all Windows file sharing. PowerShell’s SmbShare module provides complete management of shares.
# Create directory structure on the data volume
New-Item -Path "D:SharesFinance" -ItemType Directory
New-Item -Path "D:SharesHR" -ItemType Directory
New-Item -Path "D:SharesIT" -ItemType Directory
New-Item -Path "D:SharesGeneral" -ItemType Directory
# Create an SMB share for the Finance department
New-SmbShare `
-Name "Finance$" `
-Path "D:SharesFinance" `
-Description "Finance Department Private Share" `
-FolderEnumerationMode AccessBased `
-ChangeAccess "CORPFinance-Staff" `
-ReadAccess "CORPFinance-Managers" `
-FullAccess "CORPDomain Admins","CORPFinance-Managers"
# Create a general-purpose share
New-SmbShare `
-Name "General" `
-Path "D:SharesGeneral" `
-Description "All Staff General Share" `
-ReadAccess "Everyone" `
-FullAccess "CORPDomain Admins"
# List all SMB shares
Get-SmbShare | Select-Object Name, Path, Description
# View share access (SMB permissions only)
Get-SmbShareAccess -Name "Finance$"Step 3: Configure NTFS Permissions
SMB share permissions control network access, but NTFS permissions on the underlying folder provide the true access control. Best practice is to grant Full Control to Everyone at the share level and manage all access through NTFS permissions.
# Set NTFS permissions on the Finance share folder
# First, get the current ACL
$acl = Get-Acl -Path "D:SharesFinance"
# Disable inheritance and convert existing inherited entries
$acl.SetAccessRuleProtection($true, $false)
# Remove all existing entries
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
# Add: Domain Admins - Full Control
$ace1 = New-Object System.Security.AccessControl.FileSystemAccessRule(
"CORPDomain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($ace1)
# Add: Finance-Managers - Modify
$ace2 = New-Object System.Security.AccessControl.FileSystemAccessRule(
"CORPFinance-Managers", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($ace2)
# Add: Finance-Staff - ReadAndExecute
$ace3 = New-Object System.Security.AccessControl.FileSystemAccessRule(
"CORPFinance-Staff", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($ace3)
# Apply the ACL
Set-Acl -Path "D:SharesFinance" -AclObject $acl
# Verify the NTFS permissions
(Get-Acl -Path "D:SharesFinance").Access |
Select-Object IdentityReference, FileSystemRights, AccessControlTypeStep 4: Configure Quotas with FSRM
File Server Resource Manager quotas limit how much storage a shared folder or user can consume, preventing a single user from filling the volume and impacting everyone else.
# Create a quota template: 5 GB hard limit
New-FsrmQuotaTemplate `
-Name "5GB Hard Limit" `
-Description "5 GB hard quota with 80% and 95% warnings" `
-Size 5GB `
-Threshold @(
New-FsrmQuotaThreshold -Percentage 80 -Action @(
New-FsrmAction Email `
-MailTo "[Admin Email]" `
-Subject "Quota Warning: [Quota Path]" `
-Body "The quota on [Quota Path] has reached 80%."
);
New-FsrmQuotaThreshold -Percentage 95 -Action @(
New-FsrmAction Email `
-MailTo "[Admin Email]" `
-Subject "Quota Critical: [Quota Path]" `
-Body "The quota on [Quota Path] has reached 95%."
)
)
# Apply a quota to a share path
New-FsrmQuota -Path "D:SharesHR" -Template "5GB Hard Limit"
# View current quotas
Get-FsrmQuota | Select-Object Path, Size, Usage, PeakUsageStep 5: Configure File Screens
File screens prevent users from storing unauthorised file types (MP3s, executable files, videos) on corporate shares.
# View available file groups
Get-FsrmFileGroup | Select-Object Name
# Create a file screen to block audio and video files
New-FsrmFileScreen `
-Path "D:SharesFinance" `
-Template "Block Audio and Video Files" `
-Active
# Create a custom file screen
New-FsrmFileScreenTemplate `
-Name "Block Executables" `
-Description "Block EXE, MSI, BAT, CMD files" `
-IncludeGroup "Executable Files"
New-FsrmFileScreen `
-Path "D:SharesGeneral" `
-Template "Block Executables"
# List active file screens
Get-FsrmFileScreen | Select-Object Path, Template, ActiveStep 6: Enable Shadow Copies (Previous Versions)
Shadow Copies allow users to recover previous versions of files themselves without involving an administrator or restoring from backup.
# Enable shadow copies on the D: volume with default schedule
$task = Get-ScheduledTask -TaskName "ShadowCopyVolume*" -ErrorAction SilentlyContinue
# Enable via vssadmin
vssadmin Add ShadowStorage /For=D: /On=D: /MaxSize=15%
# Create shadow copy schedule via schtasks (7:00 AM and 12:00 PM daily)
schtasks /create /tn "ShadowCopyD_0700" /tr "vssadmin create shadow /For=D:" /sc daily /st 07:00
schtasks /create /tn "ShadowCopyD_1200" /tr "vssadmin create shadow /For=D:" /sc daily /st 12:00
# Create an immediate shadow copy
vssadmin create shadow /For=D:
# List existing shadow copies
vssadmin list shadows /For=D:
# List shadow storage
vssadmin list shadowstorageStep 7: Enable Data Deduplication
Data Deduplication, installed earlier, can significantly reduce storage consumption on general-purpose file shares by storing only one copy of duplicate data.
# Enable deduplication on the D: volume for general file shares
Enable-DedupVolume -Volume D: -UsageType GeneralPurpose
# Set the minimum file age before deduplication runs (days)
Set-DedupVolume -Volume D: -MinimumFileAgeDays 3
# Start a manual deduplication job
Start-DedupJob -Type Optimization -Volume D: -Priority Normal
# Check deduplication savings
Get-DedupStatus | Select-Object Volume, SavingsRate, SavedSpace, FreeSpaceSummary
A well-configured file server on Windows Server 2012 R2 combines SMB 3.0 shares with layered NTFS permissions, FSRM quotas and file screens, shadow copies for self-service file recovery, and data deduplication for storage efficiency. The recommended permission model is: share-level permissions grant full access to the relevant groups, and NTFS permissions handle the granular access control with inheritance for subfolders. Always enable shadow copies on file server volumes so users can recover accidentally deleted or overwritten files, and implement FSRM quotas and file screens proactively to prevent storage abuse before it becomes a capacity incident.
